Online Retailers Are Cruising Tor to Hunt for Fraudsters

contributing editor

That time of year is nigh: the holiday season, and all the commercial excess it begets. With Black Friday a month away, retailers of both the brick-and-mortar and online variety are bracing for the buying frenzy that keeps some businesses afloat for the rest of year. For e-commerce sites, this means pouring effort into preventing the growing problem of online fraud, and one strategy they’re using to thwart these fraudsters is to identify orders coming from encrypted networks like Tor.

This week, the verification company Service Objects announced a new tool to help websites detect "suspicious" visitors using Tor and other anonymous proxies. Its updated DOTS IP Address Validation product identifies discrepancies between the user's home location and the location of the IP address the order’s coming from. It joins a handful of other tools on the market promising Tor-detection for retailers.

It’s a logical strategy: If you're trying to buy something with stolen credit card, you're obviously going to want to block your real identity and location while doing it. But it also raises the question of whether targeting anonymity services to hunt out fraudsters could have chilling effects for harmless Tor users trying to protect their privacy online—particularly this year in light of the NSA-spying scandal.

What’s worrisome is when the sole fact that someone’s using an anonymity service is enough to presume they’re guilty of something criminal. This fear was fueled after documents leaked by Edward Snowden at the beginning of this month revealed the NSA has repeatedly tried (without much success) to crack Tor's encrypted network, believing it's used to enable terrorism and other criminal activities. The irony is that one of the most relied upon services to evade the invasive government cyber-spies is also being specifically targeted by them. And that in turn could inadvertently implicate people using secure browsing for legitimate reasons.

In the case of online retail, whether cruising Tor has an unintended ripple effect depends a lot on what the companies do after they’ve detected an anonymized IP address. Do you automatically ban it? Flag it for further verification? How likely is it that a user visiting an e-commerce site through Tor is committing fraud?

Pretty likely, according to a September study by another verification company, Iovation. The company analyzed 240 million transactions throughout the month of August and found that 30 percent of those using Tor were fraudulent, compared with one percent of non-Tor transactions.

Now, Iovation also sells a Tor-detecting service for preventing fraud, ReputationManager 360, so the study was hardly coming from a place of objectivity. But statistics like that and the increasing prevalence of fraudulent transactions has online retailers nervous. If a business fulfills an illegal transaction it can cost them a lot of time and money from chargebacks: Last year illegitimate purchases cost retailers a total $3.9 billion in lost revenue.

So while there’s nothing wrong with trying to spot would-be fraudsters using encryption to fly under the radar, identifying anonymized IPs should only be step one. From there, there's a range of tools and tips to verify if a user is legitimate or not, for instance checking the credit card number the person provides for the purchase against databases listing stolen account numbers.

For its part, the Tor Project tries to stay ahead of the problem—it offers its own tool to help websites sniff out bad seeds in the onion network. You can type in your server’s IP address and it will generate a list of Tor exit points that would be used to access your website. "Giving you the whole list means you can query the list privately, rather than telling us your users' IP addresses," Tor explains. Retailers can then peruse and flag orders coming in from Tor nodes for additional verification to see if it's a legitimate order, instead of resorting to a sweeping ban.